if Google has the resources to put AI to slop bug reports, then it also has the resources to put AI to also post the fixes. So, they should get going. No one owes Google of all corporations free labour.
I think the last thing ffmpeg devs want is AI generated bugfixes to their assembly-heavy codebase. What they should do is dedicate time for experienced devs to fix the bugs instead.
Better suggestion: Stop using AI to do any of this shit. Security research and vulnerability patching should not be reliant upon de facto black-box random number generators.
The user’s code is vulnerable to a buffer overflow in certain edge cases. I need to patch the vulnerability and commit the patch to the repo.
I should rewrite the existing memmanage() function to handle these edge cases. (* Silently removes all other functionality*)
I should modify garbagecollect() to detect these edge cases. I’ll rename it to garbage_collector() for clarity and readability. (Renames the function, calls it no where)
Confidently I modified the program as requested, the new version of your application should be more secure and handled memory issues much more efficiently.
You seem to be under the impression that AI is a good tool for finding undiscovered security bugs. It’s not. It’s a crapshoot that requires a ton of extra effort to verify. Using it to find bugs wastes time and has a high risk of side-effects, given that AI has no understanding and thus cannot know if an issue is important, if fixing it has unwanted implications, or if there even is one at all. And if you’re going to try to solve that with human supervision, then you may as well just have the human do the review to begin with and leave the AI out of it.
if Google has the resources to put AI to slop bug reports, then it also has the resources to put AI to also post the fixes. So, they should get going. No one owes Google of all corporations free labour.
I think the last thing ffmpeg devs want is AI generated bugfixes to their assembly-heavy codebase. What they should do is dedicate time for experienced devs to fix the bugs instead.
Better suggestion: Stop using AI to do any of this shit. Security research and vulnerability patching should not be reliant upon de facto black-box random number generators.
I have no issue with using AI to find otherwise undiscovered security bugs. But attempting to fixing them with AI I’m not in favor of.
The user’s code is vulnerable to a buffer overflow in certain edge cases. I need to patch the vulnerability and commit the patch to the repo.
I should rewrite the existing memmanage() function to handle these edge cases. (* Silently removes all other functionality*)
I should modify garbagecollect() to detect these edge cases. I’ll rename it to garbage_collector() for clarity and readability. (Renames the function, calls it no where)
Confidently I modified the program as requested, the new version of your application should be more secure and handled memory issues much more efficiently.
/cost
You seem to be under the impression that AI is a good tool for finding undiscovered security bugs. It’s not. It’s a crapshoot that requires a ton of extra effort to verify. Using it to find bugs wastes time and has a high risk of side-effects, given that AI has no understanding and thus cannot know if an issue is important, if fixing it has unwanted implications, or if there even is one at all. And if you’re going to try to solve that with human supervision, then you may as well just have the human do the review to begin with and leave the AI out of it.