GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE
  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    daniel:// stenberg:// (bagder@mastodon.social)'s status on Wednesday, 28-Jan-2026 08:30:30 JST daniel:// stenberg:// daniel:// stenberg://

    I'm a little amazed by the amount of CVEs released by OpenSSL today: https://openssl-library.org/news/vulnerabilities/

    12(!) of them were reported by people at Aisle.

    Aisle makes an AI-powered code analyzer. That's what they use to find these flaws.

    I mean if you are curious what AI can do in Open Source security when used for good.

    In conversation about 5 months ago from mastodon.social permalink

    Attachments


    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 28-Jan-2026 08:30:30 JST Rich Felker Rich Felker
      in reply to

      @bagder Most of "AI" is human labor misrepresented as something the machine did, to defraud customers and investors.

      I wouldn't be surprised if we find out that their "AI-powered code analyzer" did little or nothing here, and that they spent a lot of money on actual labor for the sake of promoting their product.

      In conversation about 5 months ago permalink
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 28-Jan-2026 08:35:38 JST Rich Felker Rich Felker
      in reply to

      @bagder It's certainly plausible that they find common patterns of error better than a simple grep would. But my default hypothesis will always be that this is marketing.

      In conversation about 5 months ago permalink
    • Embed this notice
      daniel:// stenberg:// (bagder@mastodon.social)'s status on Wednesday, 28-Jan-2026 08:35:39 JST daniel:// stenberg:// daniel:// stenberg://
      in reply to
      • Rich Felker

      @dalias I know that's not the case because I also have access to such tools (made by others) and as I can run them on my own code I can see what they do and what they can find.

      AI powered code analyzers is a real thing, and they make better code analyzers than the ones without the AI component.

      In conversation about 5 months ago permalink

      Attachments


    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 28-Jan-2026 08:40:05 JST Rich Felker Rich Felker
      in reply to

      @bagder I do wonder though if you have access to the tools and the tools themselves can find the errors themselves, why it took Aisle employees reporting them in order for them to be found.

      In conversation about 5 months ago permalink
    • Embed this notice
      daniel:// stenberg:// (bagder@mastodon.social)'s status on Wednesday, 28-Jan-2026 08:43:49 JST daniel:// stenberg:// daniel:// stenberg://
      in reply to
      • Rich Felker

      @dalias all these tools, like code analyzers have for ages, find and easily report a lot of things. The filtering, the assessing and the confirming still need a human involved to get really good.

      In conversation about 5 months ago permalink
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 28-Jan-2026 08:43:49 JST Rich Felker Rich Felker
      in reply to

      @bagder Yes, so the majority of actual vuln-finding work is human labor and the AI tool is just giving you a huge list of mostly false positives...

      In conversation about 5 months ago permalink
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 28-Jan-2026 08:47:53 JST Rich Felker Rich Felker
      in reply to

      @bagder I don't think you're "lying".

      I think you're giving undue credit to an industry that's vastly over-promising and that has extremely bad externalities. And that doing so lowers your credibility among folks who care about this.

      In conversation about 5 months ago permalink
    • Embed this notice
      daniel:// stenberg:// (bagder@mastodon.social)'s status on Wednesday, 28-Jan-2026 08:47:54 JST daniel:// stenberg:// daniel:// stenberg://
      in reply to
      • Rich Felker

      @dalias I can tell you're too busy denying this and haven't actually tried this yourself. That's fine, but also a little amusing that you thus insist that I'm lying.

      In conversation about 5 months ago permalink
    • Embed this notice
      daniel:// stenberg:// (bagder@mastodon.social)'s status on Wednesday, 28-Jan-2026 08:56:39 JST daniel:// stenberg:// daniel:// stenberg://
      in reply to
      • Rich Felker

      @dalias I have not argued against them over-promising and doing all sorts of crap. They do. And will continue to most likely. That's certainly problematic.

      What I *am saying* though, is that some of the AI (powered code analyzer) tools are better than most non-AI ones. And I think I've seen one or two in my days and I have written a line of code or two.

      AI can be used to do good. Is it worth the cost? That's a separate question.

      In conversation about 5 months ago permalink

      Attachments


    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 28-Jan-2026 08:56:39 JST Rich Felker Rich Felker
      in reply to

      @bagder "AI can be used to do good." is a statement that lacks meaning without clarifying what "AI" means, and that excuses all sorts of other things under the umbrella of "AI" that fundamentally cannot be used for good. Because "AI" is and always has been a strategically vague marketing term not a technical category.

      It's likely that statistical models of source code correlated with vulnerabilities can be used for good. I don't think they can be built without massive scale license infringement enclosing the commons, nor lots of other types of harm.

      In conversation about 5 months ago permalink

      Attachments

      1. No result found on File_thumbnail lookup.
        category.it
        description
    • Embed this notice
      daniel:// stenberg:// (bagder@mastodon.social)'s status on Wednesday, 28-Jan-2026 09:06:41 JST daniel:// stenberg:// daniel:// stenberg://
      in reply to
      • Rich Felker

      @dalias > It's likely that statistical models of source code correlated with vulnerabilities can be used for good.

      Great. That seems to be roughly what I said too.

      In conversation about 5 months ago permalink
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 28-Jan-2026 09:06:41 JST Rich Felker Rich Felker
      in reply to

      @bagder I trust that you appreciate that "AI can be used for good" means something very different to most people who read it, and serves a very different agenda (even if it's not the one you intended).

      Choices of wording matter when we're talking about an industry that is a fundamentally fascist-aligned project.

      In conversation about 5 months ago permalink
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 28-Jan-2026 22:30:05 JST Rich Felker Rich Felker
      in reply to
      • Valerie Aurora 🇺🇦

      @vaurora @bagder Then don't use the strategically vague term "AI" to say that. When you do, you unintentionally (or for some folks, intentionally) boost the credibility of everything else marketed as "AI". Name the specific technical category that's good at something.

      In conversation about 5 months ago permalink
    • Embed this notice
      Valerie Aurora 🇺🇦 (vaurora@mstdn.social)'s status on Wednesday, 28-Jan-2026 22:30:07 JST Valerie Aurora 🇺🇦 Valerie Aurora 🇺🇦
      in reply to
      • Rich Felker

      @bagder @dalias this exact case is one of my "this is what AI is actually good at" examples. It's a carefully tuned tool used on the correct problem domain by experts - perfect application.

      In conversation about 5 months ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.