And that is the gist of the problem, isn't it? As we approach our forties and beyond, chances are we have lived more than half our lives. So do I really want to spend hours watching something I might hate, something that might leave a bad taste in my mouth? (See Game of Thrones season 8 or, worse, the HBO series Westworld; I don't even want to know what happened in seasons 3 and 4.) I am sure there are people who will enjoy those, but for the average person it is highly unlikely.
Ok, so it worked correctly today, for you. How do we know it will continue to do so five years down the road, when they are starved for cash? The more stuff we have there, the harder it becomes to verify that their takeout will include everything.
I'm trying to motivate one, or hopefully both, of these ideas:
- if it is worth backing up or exporting, it is worth doing it early and often
- but more importantly, if we are backing up and exporting, we should be continuously asking: are we even on the right platform? Does a better alternative exist?
How bad is it if, out of 200+ conversations, a couple are not exported correctly? Not very, honestly.
If I verify some of those and they are ok, I would see no reason to keep verifying all of them.
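As a sketch of that spot-check idea: the snippet below randomly samples exported conversation files and runs cheap sanity checks on each. The directory layout, the `*.json` naming, and the `{"messages": [...]}` schema are all assumptions for illustration; a real export format would need its own checks.

```python
import json
import random
from pathlib import Path

def spot_check_export(export_dir, sample_size=10, seed=None):
    """Randomly sample exported conversation files and run cheap sanity
    checks: the file parses as JSON and contains at least one message.
    Returns the list of files that failed a check."""
    rng = random.Random(seed)
    files = sorted(Path(export_dir).glob("*.json"))
    sample = rng.sample(files, min(sample_size, len(files)))
    failures = []
    for f in sample:
        try:
            data = json.loads(f.read_text(encoding="utf-8"))
            # Assumed schema: a dict with a non-empty "messages" list.
            if not isinstance(data, dict) or not data.get("messages"):
                failures.append(f)
        except (json.JSONDecodeError, OSError):
            failures.append(f)
    return failures
```

Checking a random sample each time you export catches systematic breakage (a format change, truncated files) without the cost of verifying all 200+ conversations every time.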
> At Amirkabir University of Technology in Tehran, students dressed in black shouted “Long Live the Shah,” a reference to Reza Pahlavi, the exiled son of Iran’s last monarch, who has emerged as a leader of the recent protests.
This is unfortunate and gives the regime a chance to say "see, these people are puppets of the monarchy".
I feel like the people who want a monarchy installed are trying to fish in troubled waters.
Not puppets of the monarchy per se but at least some of them may be puppets of foreign actors who are backing the monarchy.
Honestly, it's very hard to say; I don't know what to believe about the Iran situation. I think it's pretty much impossible to get a good understanding of it from a western country.
1) Iran's government has not done a good job of running the country and is therefore genuinely unpopular among a significant percentage of the population.
2) Iran's current government has powerful enemies (US, UK and of course a country in the Middle East all really hate the Iranian regime) and those enemies are actively trying to destabilise it.
So it's really hard from the perspective of being in a western country to work out how much of the protests are genuinely endogenous to Iran and how much is an intelligence operation, because it's clearly not 0%
> it's really hard from the perspective of being in a western country to work out how much of the protests are genuinely endogenous to Iran and how much is an intelligence operation, because it's clearly not 0%
Intelligence assets are generally covert. It's incredibly difficult to engineer a protest–particularly in a repressive regime–out of nothing. Like half of the CIA's history in the Cold War was trying and failing to do this.
Why are people even debating this? Mossad themselves admitted to supporting protests on the ground. Pompeo even boasted about Mossad agents "walking beside" protesters; they were fully confident that they would successfully engineer regime change.
"Go out into the streets together. The time has come. We are with you. Not just from a distance or through words. We are also with you on the ground." -> Mossad.
That's what I'm saying though, it's not out of nothing, people have legitimate grievances and at the same time there is probably at least some foreign influence. It's not either/or, it's (probably) a bit of both.
But like I said, I'm not there, so I don't know the truth and there's no way for me to find it out.
My basic point is just that you can't trust what you read in the papers because the Soviet Union is not the only state to engage in propaganda
> It's not either/or, it's (probably) a bit of both
It's never purely one or the other. But it's also never predominantly foreign action. Again, it's incredibly difficult to do that, and not for lack of trying.
> It's incredibly difficult to engineer a protest–particularly in a repressive regime–out of nothing.
No. It may have been difficult to do so in the past for the CIA (or other foreign powers) because they had limited avenues to directly influence foreign citizens as they had limited control over foreign media or foreign communication platforms (to control the flow of information).
Today, a large part of both communication and media in nearly all countries happen over the internet, a medium that has been usurped by western tech companies. The role of online social media (like Facebook and WhatsApp) in fomenting riots and genocide is well documented and researched (e.g. genocide in Myanmar).
Look at all the meaningless so-called "youth protests" (by youth who have obviously grown up consuming media and communicating on the internet) that have happened in India, Sri Lanka, Nepal, Bangladesh, or the "colour revolutions". (India was the only exception where it didn't turn violent, because its then leaders knew how to genuinely deal democratically with the protestors; but it still resulted in India's democratic fall, as it allowed a right-wing authoritarian leader to capture power.)

In Sri Lanka, Nepal and Bangladesh the protests became directionless, violent "revolutions" to overthrow an elected government and illegally transfer power to a bunch of inexperienced "leaders". Then (as has happened in Bangladesh) they seek to exclude and ban certain political leaders and/or political parties from participating in a new "democratic" election, ensuring an easy win for the opposition. It is then claimed what a success this "democratic" youth revolution has been (and used as fodder to brainwash the youths in some other country).
Youths are easy targets here because they are hooked to the internet and are politically naive.
China was quite astute in this respect, ensuring that its internet didn't fall into the hands of western tech companies. They made sure that their own tech companies dominated in China, and were ruthless in not allowing western tech companies to compete successfully. This is why the west has found it so hard to foment any similar "online social media" revolutions there, and why the west was so obsessed with getting control over TikTok. (Note that this has nothing to do with "democracy": it's a political necessity that if you want to be a sovereign country and do not want a foreign power to have influence in your country, you must ensure that foreigners don't control your media or communication platforms. This is why everyone's talking about "digital sovereignty" and banning teens from social media.)
(Sadly, it isn't just the "west" - every country is now using the internet against nations they consider hostile, and doing some form of information warfare to influence foreign elections).
> gives the regime a chance to say "see, these people are puppets of the monarchy"
Regime isn't the messaging target. Foreign actors are. And rightly or wrongly, desperate people will choose the icons they have, and the set to choose from is generally those that are helping and those the current regime despises. The first set is scarce. So we're left with the second.
The points are valid, but why the personal insults?
Re: the grandparent comment.
"Javid Shah" is one of the main chants of the recent protests. It's not particularly specific. Reza Pahlavi is the main figurehead of the opposition. He's a likely candidate to preside over a transitional government if this new revolution succeeds.
The regime's positioning is largely irrelevant now. The people are liable to adopt the opposite position simply because they see the regime as their enemy.
You guys are talking about copyright, but I think a bigger takeaway is that there is a process breakdown at Microsoft. Nobody is reading or reviewing this documentation, so what hope is there that anybody is reading or reviewing their new code?
I guess the question for leadership is that two of the three pillars, namely security and quality, are at odds with the third pillar, AI innovation. Which side do you pick?
(I know you mean well and I love you, Scott Hanselman but please don't answer this yourself. Please pass this on to the leadership.)
I worked at Microsoft for many years and blogged there.
Microsoft was unique among the companies I worked for in that they gave you some guidelines and then let you blog without having to go through some approval or editing process. It made blogging much more personal and organic IMO; company-curated blog posts read like marketing.
I didn’t see the original post but it looks like somebody made a bad judgment call on what to put in a company blog post (and maybe what constitutes ethical activity) and that it was taken down as soon as someone noticed.
I care much less about whether the person exercised good judgment in posting, and don’t care (and am happy) that there was not some process that would have caught it pre-publication.
I care much more if the person works in a team that believes that copyright infringement for AI training is a justifiable behavior in a corporate environment.
And now we know that is a thing, and I suspect that there will be some hard questions asked by lawyers inside the company, and perhaps by lawyers outside the company.
I remember back in 2004 or thereabouts, Microsoft was all in on blogging. There was content published about internal blogs. Huge swaths of people working on Vista (then, Longhorn) were blogging about all sorts of exciting things. Microsoft was pretty friendly with people blogging externally, too: Paul Thurrott comes to mind.
It feels out of character for a company like Microsoft to have such a policy, but I agree that it's genuinely cool that some folks get to post pretty freely. Raymond Chen could NEVER run his blog like that at FAANG.
Raymond generally discusses public things and history. That's allowable plenty of places.
Bruce Dawson was publishing debugging stories (including things debugged about Google products done as part of his job) for the entire time he was working at Google: https://randomascii.wordpress.com/
> Nobody is reading or reviewing these documentation so what hope is there that anybody is reading or reviewing their new code?
Why do you assume that reviewing docs is a lower bar than reviewing code, and that if docs aren't being reviewed it's somehow less likely that code is being reviewed?
There's a formal process for reviewing code because bugs can break things in massive ways. While there may not be the same degree of rigor for reviewing documentation because it's not going to stop the software from working.
But one doesn't necessarily say anything about the other.
Regardless, their point is that the argument seems faulty. Whether the docs go unreviewed says little about whether the code goes unreviewed, given there are much stronger reasons to review code than documentation; as they wrote, bad documentation doesn't automatically break your application when it's published (there are at least a few more steps involved). A statement can be accurate even when an argument that happens to agree with it is illogical.
> I don't know if you are just playing devil's advocate
Indeed, that is playing Devil's Advocate but one should remember that such Advocacy is performed to make sure that arguments against the Devil are as strong as they can be. It's not straightforward to see how simply repeating an assertion helps to argue for the veracity of it.
>> I realize BSOD is no longer nearly as common as it once was
Anecdotally, installing wrong drivers (in my case it was drivers for COM-port STM32 interaction) could make it as common as twice a day on Win11.
Meanwhile, my Windows Server 2008 box is still doing just great: no BSOD in its entire lifetime.
I agree that for a common user a BSOD is now less likely to happen, but I wonder whether that has less to do with the Windows core and more with Windows Defender's aggressive default settings.
At another BigCo I am familiar with, any external communication must go through a special review to make sure no secrets are being leaked and nothing exposes the company to legal or PR issues (the OP, for example).
Likely it wouldn't get written at all. The most useful aspect of layered approval processes is people treat them like outright bans and don't blog at all unless it's part of the job description.
If they have the documentation... With Microsoft probably the answer to that is yes, but more often than not documentation is simply absent. And in cases like this not being too aware of where the lines are is probably a great way to advance your career.
Reviewing docs is a lower bar than reviewing code because it's a lower bar than reviewing code.
I have never even heard of a software company that acts otherwise (except IBM, and much of the world of Silicon Valley software engineering is reactionary to IBM's glacial pace).
I'm not saying docs == code for importance is a bad way to be, just that if you can name firms that treat them that way other than IBM (or aerospace), I'd be interested to learn more.
I'm not sure we're talking about the same thing, maybe my use of "lower bar" was ambiguous, and I realize now it has a dual meaning.
What I'm saying is, you have to review code to get it out the door with a certain degree of quality. That's your core product. That's the minimum standard you have to pass, the lowest bar.
In contrast, reviewing documentation is usually less core. You do that after the code gets reviewed. If there's time. If it doesn't get done, that's not necessarily saying anything about code quality.
Even if it's easier to review documentation, that doesn't mean it's getting prioritized. So it's not a lower bar in the sense that lower bars get climbed first.
Whilst I understand it shows a breakdown somewhere, it's a bit of a stretch to extend that idea across their entire codebase.
Organizations are large, so much so that different parts of the organization apply different levels of rigor. Furthermore, you would assume more rigorous controls are applied to code than to documentation.
Yea, I have a post up there from a couple decades ago (maybe? I haven't looked, I don't know if they keep stuff up forever) and I guarantee you my code went through more review than that post did.
On the contrary, getting away with breaking the law is most of the innovation in the past decade. Look at Uber and AirBNB, and cryptocurrency, and every AI company.
The chrome browser and the v8 engine are innovations. The Go language is an innovation. Pet cameras, simple as they are, are an innovation.
Uber is a rebadged taxi service with seedier people than before.
AirBnB is a less disguised but still rebadged B&B service with seedier people than before.
Charlie Munger said it best. Cryptocurrency is like seeing a bunch of people trading turds and saying to yourself "well.. I don't want to miss out!" The seediest of all people.
AI doesn't even really exist by any common definition. They have supremely weak and power hungry language models trained on terabytes of stolen data and reddit conversations.
Hell, watching a guy hammer himself in his own nuts on youtube is an innovation, and I think I'm going to go do /that/ now instead of being depressed. Watching "ow my balls" and baitin'. What's left?
Calling Bitcoin and shitcoin holders "the seediest of all people" while the Western oligarchy mailed each other the most vile things that probably happened IRL leaves a bitter taste. I don't know if you really thought this through.
If you're into cryptocurrency you should have /some/ pause over the fact that child pornographers, drug dealers and murderers all share your love of the technology. I'm sure that's just coincidence.
Those people also drive cars, go shopping, have gardens, play online games, use the internet, and use the same money as you do. Now what?
I also use Tor, try to keep my stuff secure, just as they do.
Yeah, I recently stumbled on another devblogs post very similar in quality to the one that was linked here; it was basically wholesale plagiarism of a Stack Overflow answer. I found it while searching for an error message.
Context size helps some things but generally speaking, it just slows everything down. Instead of huge contexts, what we need is actual reasoning.
I predict that in the next two to five years we're going to see a breakthrough in AI that doesn't involve LLMs but makes them 10x more effective at reasoning and completely eliminates the hallucination problem.
We currently have "high thinking" models that double and triple-check their own output and we call that "reasoning" but that's not really what it's doing. It's just passing its own output through itself a few times and hoping that it catches mistakes. It kind of works, but it's very slow and takes a lot more resources.
What we need instead is a reasoning model that can be called upon to perform logic-based tests on LLM output or even better, before the output is generated (if that's even possible—not sure if it is).
My guess is that it'll end up something like a "logic-trained" model instead of a "shitloads of raw data trained" model. Imagine a couple terabytes of truth statements like, "rabbits are mammals" and "mammals have mammary glands." Then, whenever the LLM wants to generate output suggesting someone put rocks on pizza, it fails the internal truth check, "rocks are not edible by humans" or even better, "rocks are not suitable as a pizza topping" which it had placed into the training data set as a result of regression testing.
Over time, such a "logic model" would grow and grow—just like a human mind—until it did a pretty good job at reasoning.
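To make the idea above concrete, here is a deliberately naive sketch of such a truth store and veto check. The triple format, the `check_claim`/`filter_output` names, and the tiny statement set are all invented for illustration; nothing here reflects how a real "logic model" would actually be trained or queried.

```python
# A toy "logic model": a store of truth statements plus a check that
# vetoes candidate output contradicting them. Unknown claims pass
# through, because the store can only veto what it explicitly knows.

TRUTH_STATEMENTS = {
    ("rabbit", "is_a", "mammal"): True,
    ("mammal", "has", "mammary glands"): True,
    ("rock", "is_edible_by", "human"): False,
    ("rock", "is_suitable_topping_for", "pizza"): False,
}

def check_claim(subject, relation, obj):
    """Return True/False if the claim is known, None if unknown."""
    return TRUTH_STATEMENTS.get((subject, relation, obj))

def filter_output(candidate_claims):
    """Drop claims that the truth store explicitly marks false."""
    return [c for c in candidate_claims if check_claim(*c) is not False]
```

So a candidate claim like `("rock", "is_suitable_topping_for", "pizza")` is filtered out, while `("rabbit", "is_a", "mammal")` survives. The hard, unsolved part, of course, is mapping free-form LLM output onto structured claims like these in the first place.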
Upvoted, as it basically 99% matches my own thinking. Very well said. But I, personally, would not predict a breakthrough in this direction in the next 2-5 years, as there is no pathway from current LLM tech to "true reasoning". In my mental model LLM operates in "raster space" with "linguistic tokens" being "rasterization units". For "true reasoning" an AI entity has to operate fluently in "vector space", so to speak. LLM can somewhat simulate "reasoning" to a limited degree, and even that it only does with brute force - massive CPU/GPU/RAM resources, enormous amount of training data and giant working contexts. And still, that "simulation" is incomplete and unverifiable.
I would argue that the research needed to enable such "vector operation" is nowhere near the stage to come to fruition in the next decade. So, my prediction is, maybe, 20-50 years for this to happen, if not more.
> I would like to see the day when the context size is in gigabytes or tens of billions of tokens, not RAG or whatever, actual context.
Might not make a difference. I believe we are already at the point of negative returns - doubling context from 800k tokens to 1600k tokens loses a larger percentage of context than halving it from 800k tokens to 400k tokens.
That's not an achievement. Even a non intelligent low to mid end compact SUV such as a 2024 Mazda CX30 has cruise control that can detect cars stopped ahead to slow down, stop if necessary, and continue when the car in front starts moving.
I'm just saying that "it avoids a collision" by not ramming into people or cars is table stakes and it makes us look incompetent if we tout it as a flagship feature.
You say that but we’ve had cars that can do what you describe for a decade and yet actual autonomous driving is still waiting.
Not failing due to a software or hardware issue is way more complicated than just usually working.
Avoiding a collision is similarly way more difficult than just detecting a stopped car. What needs to happen when a car blows out a tire at speed isn't just slamming on the brakes, for example. At scale, cars need to adapt to the conditions and drive defensively, not just watch what's directly in front of them.
My guess is there is some communication going out to every "manager", even the M1, that says this is your priority.
For example, I know of an unrelated mandate Microsoft has for its management. Anything the security team's analysis flags in code that you or your team owns must be fixed or somehow acceptably mitigated within the specified deadline. It doesn't matter if it is Newtonsoft.Json being "vulnerable" and the entire system is only built for use by msft employees. If you let this deadline slip, you have to explain yourself and might lose your bonus.
Ok, so the remediation in the Newtonsoft.Json case is easy enough that it is worth doing, but the point is, I have a conspiracy theory that internally msft has such a memo (yes, beyond what is publicly disclosed) going to all managers saying they must adopt Copilot, whatever "adopt Copilot" means.
1. I write hobby code all the time. I've basically stopped writing these by hand and now use an LLM for most of these tasks. I don't think anyone is opposed to it. I had zero users before and I still have zero users. And that is ok.
2. There are actual free and open source projects that I use. Sometimes I find a paper cut or something that I think could be done better. I usually have no clue where to begin. I am not sure if it even is a defect most of the time. Could it be intentional? I don't know. Best I can do is reach out and ask. This is where the friction begins. Nobody bangs out perfect code on first attempt but usually maintainers are kind to newcomers because who knows maybe one of those newcomers could become one of the maintainers one day. "Not everyone can become a great artist, but a great artist can come from anywhere."
LLMs changed that. The newcomers are more like Linguini than Remy. What's the point in mentoring someone who doesn't read what you write and merely feeds it into a text box for a next-token predictor to do the work? To continue the analogy from the Disney Pixar movie Ratatouille, we need enthusiastic contributors like Remy, who want to learn how things work and care about the details. Most people are not like that. There is too much going on every day, and it is simply not possible to go in depth on everything. We must pick our battles.
I almost forgot what I was trying to say. The bottom line is, if you are doing your own thing like I am, LLMs are great. However, I would ask everyone to have empathy and not spread our diarrhea into other people's kitchens.
If it wasn't an LLM, you wouldn't simply open a pull request without checking first with the maintainers, right?
PRs are just that: requests. They don't need to be accepted but can be used in a piecemeal way, merged in by those who find it useful. Thus, not every PR needs to be reviewed.
Of course, but when you add enough noise, you lose the signal, and as a consequence no PRs get merged anymore because it's too much effort to find the ones you care about.
Don't allow PRs from people who aren't contributors; problem solved. Closing your doors to the public is exactly how people solved the "dark forest" problem of social media, and OSS was already undergoing that transition with humans authoring garbage PRs for reasons other than genuine enthusiasm. AI will only get us to the destination faster.
I don't think anything of value will be lost by choosing to not interact with the unfettered masses whom millions of AI bots now count among their number.
That would be a huge loss IMO. Anyone being able to contribute to projects is what makes open source so great. If we all put up walls, then you're basically halfway to the bad old days of closed source software reigning supreme.
Then there's the security concerns that this change would introduce. Forking a codebase is easy, but so are supply chain attacks, especially when some projects are being entirely iterated on and maintained by Claude now.
> Anyone being able to contribute to projects is what makes open source so great. If we all put up walls, then you're basically halfway to the bad old days of closed source software reigning supreme.
Exaggeration. Is SQLite halfway to closed source software?
Open source is about open source. Free software is about the freedom to do things with code. Neither is about taking contributions from everyone.
For every cathedral (like SQLite) there are 100s of bazaars (like Firefox, Chrome, hundreds of core libraries) that depend on external (and especially first-time) contributors to survive (because not everyone is getting paid to sling open-source).
Is there a reason that you chose SQLite for your counterpoint? My hot take: I would say that SQLite is halfway to closed source software. Why? The unit tests are not open source. You need to pay to see them. As a result, it would be insanely hard to fork SQLite in a sustainable, safe manner. Please don't read this opinion as disliking SQLite for its software or commercial strategy. In hindsight, it looks like real genius as a way to resist substantial forks. One of the biggest "fork threats" to SQLite is the advent of LLMs that can (1) convert C code to a different language, like Rust, and (2) write unit tests. Still, a unit test suite for a database will likely contain thousands (or millions) of edge-case SQL queries. These are still probably impossible to recreate, considering the 25-year history of bug fixing done by the SQLite team.
And how does one become a maintainer, if there's no way to contribute from outside? Even if there's some extensive "application process", what is the motivation for a relatively new user to go through that, and how do they prove themselves worthy without something very much like a PR process? Are we going to just replace PRs with a maze of countless project forks, and you think that will somehow be better, for either users or developers?
If I wanted to put up with software where, every time I encounter a bug, I either have no way at all to report it, or perhaps a "reporting" channel but little likelihood of convincing the developers that this thing that matters to me is worthy of attention among all of their competing priorities, then I might as well just use Microsoft products. And frankly, I'd rather run my genitals through an electric cheese grater.
You get in contact with the current maintainers and talk to them. Real human communication is the only shibboleth that will survive the AI winter. Those soft skills muscles are about to get a workout. Tell them about what you use the software for and what kinds of improvements you want to make and how involved you'd like your role to be. Then you'll either be invited to open PRs as a well-known contributor or become a candidate for maintainership.
Github issues/prs are effectively a public forum for a software project where the maintainers play moderator and that forum is now overrun with trolls and bots filling it with spam. Closing up that means of contributing is going to be the rational response for a lot of projects. Even more will be shunted to semi-private communities like Discord/Matrix/IRC/Email lists.
The point was that you can also just reject a PR on the basis of what it purports to implement, or even just blanket-ignore all PRs. You can't pull in what you don't... pull in.
If a PR claims to solve a problem that I don't need, then I can skip its review because I'll never merge it.
I don't think every PR needs reviewing. Some PRs we can ignore just by taking a quick look at what the PR claims to do. This only requires a quick glance, not a PR review.
You didn't see the latest AI grifter escalation? If you reject their PRs, they then get their AI to write hit pieces slandering you:
"On 9 February, the Matplotlib software library got a code patch from an OpenClaw bot. One of the Matplotlib maintainers, Scott Shambaugh, rejected the submission — the project doesn’t accept AI bot patches. [GitHub; Matplotlib]
The bot account, “MJ Rathbun,” published a blog post to GitHub on 11 February pleading for bot coding to be accepted, ranting about what a terrible person Shambaugh was for rejecting its contribution, and saying it was a bot with feelings. The blog author went to quite some length to slander Mr Shambaugh"
I am very strongly convinced that the person behind the agent prompted the angry post to the blog because they didn't get the gratification they were looking for by submitting an agent-generated PR in the first place.
I agree. But even _that_ was taking advantage of LLMs ability to generate text faster than humans. If the person behind this had to create that blog post from scratch by typing it out themselves, maybe they would have gone outside and touched grass instead.
I've been following Daniel from the Curl project who's speaking out widely about slop coded PRs and vulnerability reports. It doesn't sound like they have ever had any problem keeping up with human generated PRs. It's the mountain of AI generated crap that's now sitting on top of all the good (or even bad but worth mentoring) human submissions.
At work we are not publishing any code or taking part in the OSS community (except as grateful users of others' projects), but even we get clearly AI-enabled emails. Just this week my boss forwarded me two that were pretty much "Hi, do you have a bug bounty program? We have found a vulnerability in (website or app obliquely connected to us)." One of them was about a static site hosted on S3!
There have always been bullshitters looking to fraudulently invoice you for unsolicited "security analysis". But the bar for generating bullshit that looks plausible enough that someone has to spend at least a few minutes working out whether it's "real" has become extremely low, and the velocity with which the bullshit can be generated, stamped with the victim's name and contact details, and vibe-spammed to hundreds or thousands of people has become near unstoppable. It's like the SEO spammers of 5 or 10 years back, but superpowered with OpenAI/Anthropic/whoever's cocaine.
My hot take: reviewing code is boring, harder than writing code, and less fun (no dopamine loop). People don’t want to do it, they want to build whatever they’re tasked with. Making reviewing code easier (human in the loop etc) is probably a big rock for the new developer paradigm.
Maintainers can:

- insist on disclosure of LLM origin
- review what they want, when they can
- reject what they can't review
- use LLMs (yes, I know) to triage PRs and pick which ones need the most human attention and which ones can be ignored/rejected or reviewed mainly by LLMs

There are a lot of options.
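As a hedged sketch of what the triage option might look like, the snippet below buckets PRs by cheap metadata signals before anyone, human or LLM, reads the diff. The field names (`llm_generated`, `llm_disclosed`, `changed_lines`, `author_prior_merged`) and the thresholds are assumptions invented for illustration, not any real forge's API.

```python
# Toy triage: bucket an incoming PR as 'reject', 'bot_review', or
# 'human_review' from cheap metadata, so scarce human attention goes
# to the PRs most likely to deserve it.

def triage(pr):
    """pr is a dict of metadata fields (all assumed, see lead-in)."""
    if pr.get("llm_generated") and not pr.get("llm_disclosed"):
        return "reject"        # undisclosed LLM origin: out per policy
    if pr.get("changed_lines", 0) > 2000:
        return "reject"        # too large to review responsibly
    if pr.get("author_prior_merged", 0) == 0:
        return "bot_review"    # first-timers get a cheap first pass
    return "human_review"      # known contributors get human attention
```

A real version would pull these fields from the forge's API and tune the rules per project, but even a crude filter like this changes the economics: slop pays the full submission cost while humans only pay review cost on the survivors.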
And it's not just open source. Guess what's happening in the land of proprietary software? YUP!! The same exact thing. We're all becoming review-bound in our work. I want to get to huge MR XYZ, but first I have to review several other people's much larger MRs. Now what?
Well, we need to develop a methodology for working with LLMs. "Every change must be reviewed by a human" is not enough. I've seen incidents caused by ostensibly-reviewed but not actually understood code, so we must instead go with "every change must be understood by humans". This can sometimes mean a plain review (when the reviewer is an SME and also an expert in the affected codebase(s)), and it can mean code inspection (much more tedious and exacting). But it might also involve posting transcripts of the LLM conversations used for developing and, separately, reviewing the changes, with SMEs doing lighter reviews when feasible, because we're going to have to scale our review time. We might need a much more detailed methodology, including writing and reviewing initial prompts, `CLAUDE.md` files, etc., so as to make it more likely that the LLM writes good code and that LLM reviews are sensible and catch the sorts of mistakes we expect humans to catch.
> Maintainers can...insist on disclosure of LLM origin
On the internet, nobody knows you're a dog [1]. Maintainers can insist on anything. That doesn't mean it will be followed.
The only realistic solution you propose is using LLMs to review the PRs. But at that point, why even have the OSS? If LLMs are writing and reviewing the code for the project, just point anyone who would have used that code to an LLM.
Claiming maintainers "can" do these things (all of which still take effort and time away from their OSS project's goals) misses the point when the rate of slop submissions is ever increasing and malicious slop submitters refuse to follow project rules.
The Curl project refuses AI-generated code and had to close its bug bounty program due to the flood of AI submissions:
> DEATH BY A THOUSAND SLOPS
>
> I have previously blogged about the relatively new trend of AI slop in vulnerability reports submitted to curl and how it hurts and exhausts us.
>
> This trend does not seem to slow down. On the contrary, it seems that we have recently not only received more AI slop but also more human slop. The latter differs only in the way that we cannot immediately tell that an AI made it, even though we many times still suspect it. The net effect is the same.
>
> The general trend so far in 2025 has been way more AI slop than ever before (about 20% of all submissions) as we have averaged in about two security report submissions per week. In early July, about 5% of the submissions in 2025 had turned out to be genuine vulnerabilities. The valid-rate has decreased significantly compared to previous years.
The issue here is that LLMs are great for hobbyist stuff like you describe, but LLMs are obscenely expensive to run and keep current, so you almost HAVE to shove them in front of everything (or, to use your example, spread the diarrhea into everyone else's kitchens) to try and pay the bill.
Well, no, not unless it develops its own version of open source. That's kind of the point. Without healthy OSS, even AI's ability to create value would enter freefall.
I pretty much always open an issue, then a PR; they can close it if they want. I usually have some idea of the issue and use the PR as a first stab, and hope the maintainer will tell me if I'm going about it the right or wrong way.
I fully expect most of my PRs to need at least a second or third revision.
I like to imagine the reference in the movie Margin Call is that of a merry-go-round or a game of musical chairs. Like we are all on a ride, none of us are the operator, and all we can do is guess when the music will stop (and the ride ends).
The problem with this AI stuff is we don't know how much we will be willing to pay for it, as individuals, as businesses, as nations. I guess we just don't know how far this stuff will be useful. The reason for the high valuations is, I'd guess, that there is more value here than what we have tapped so far, right?
The revenues that Nvidia has reported are based on what we hope will be achieved in the future, so I guess the whole thing is speculation?
TBF, all financial markets are speculation these days; the only thing that changes is how much of a share's price reflects its actual value.
> The problem with this AI stuff is we don't know how much we will be willing to pay for it, as individuals, as businesses, as nations. I guess we just don't know how far this stuff will be useful. The reason for the high valuations is, I'd guess, that there is more value here than what we have tapped so far, right?
I think the value now comes from how we make a product of it, for example OpenClaw. Whether we like it or not, AI is really expensive to train, not only in money but also in resources, and the gains have been diminishing with each “generation”. Let's not forget we heard promises that have not been fulfilled, for example AGI, or “AI could potentially cure cancer, with enough power”.
And if you've been watching, DeepMind's AI has been making advances in medical science at a pretty damned fast rate. So "not fulfilled" is a pretty weak statement. The pipeline in medicine is very long.
And that's not even talking about the head-spinning rate at which robotics is advancing. The hardware we use for LLMs is also being used in robot simulation for hardware training, giving results in hours that used to take weeks or months.