daniel:// stenberg://
in reply to Alper Çelik
@Alper_Celik similar to previous ones. It talks about potential problems with functions, but the actual code has the necessary checks, and when I ask follow-ups it is super polite and continues to ramble without pointing out specifics. I'm getting better at spotting the pattern.

TanukiSec
in reply to daniel:// stenberg://
Certain names make ChatGPT grind to a halt, and we know why (Benj Edwards, Ars Technica)

daniel:// stenberg://
in reply to daniel:// stenberg://
"This experience has unfortunately made me reconsider my support for curl"
I'm sorry you feel that way, but you need to realize your own role here. We receive AI slop like this regularly and at volume. You contribute to unnecessary load on curl maintainers and I refuse to take that lightly and I am determined to act swiftly against it. Now and going forward.
(cont)

daniel:// stenberg://
in reply to daniel:// stenberg://
You submitted what seems to be an obvious AI slop "report" where you say there is a security problem, probably because an AI tricked you into believing this. You then waste our time by not telling us that an AI did this for you, and you then continue the discussion with even more crap responses - seemingly also generated by AI.
(cont)

daniel:// stenberg://
in reply to daniel:// stenberg://
By all means, use AI to learn things and to figure out potential problems, but when you just blindly assume that a silly tool is automatically right just because it sounds plausible, then you're doing us all (the curl project, the world, the open source community) a huge disservice. You should have studied the claim and verified it before you reported it. You should have told us an AI reported this to you.
(cont)

daniel:// stenberg://
in reply to daniel:// stenberg://
What tells me this is AI slop:
1. The wall of text that is too long and unspecific, talking about a potential problem.
2. The over-politeness when asked to clarify and provide more info. Humans rarely speak like that.
3. The inability to become specific when asked. It can't point out the flaw exactly, because it does not actually know about any flaw.
(cont)

daniel:// stenberg://
in reply to daniel:// stenberg://
I'm sorry you feel less enthusiastic about curl now because of this. I hope that after some time you will come to reassess what happened here and maybe even understand why we act the way we do.
Now, let's go back to improving curl.
Thanks

gclef
in reply to daniel:// stenberg://
Certainly a more thorough and thoughtful reply than was deserved.
Keep up the excellent work Daniel. Enthusiastic kudos to all the #curl maintainers.

Nils Ballmann
in reply to daniel:// stenberg://
And (without following this specific encounter) the obvious: the way the reporter allegedly changed their opinion on curl should have been a change of opinion on LLMs and "AI".
Yes, there was disappointment and, as a result, frustration. But please attribute it to the actual source, namely the tool that generated the slop report, and not to the messenger or even the expert telling you the report is slop.

daniel:// stenberg://
in reply to Nils Ballmann
@nils_ballmann sure, but I think it is completely human to feel a bit hurt when being shut down like that, even if they brought it on themselves, so to speak. I did my best.

Nils Ballmann
in reply to daniel:// stenberg://
Yes, exactly. And that's perfectly normal.
It's IMHO also normal that it's really hard to redirect this disappointment/frustration/pain towards the actual source, both as the person friendly and cautiously doing it and as the person (forcefully) having to re-evaluate their choices.
And usually, denial is the easiest way out. I just hope that one day it will get better and people start to face their own mistakes.
This is something that I admire about the people around curl: trying to cultivate a culture in which it's okay that mistakes happen, that they must be fixed and that they can be learned from.

daniel:// stenberg://
in reply to NeoFox
@NeoFox @kyle_pegasus apparently I can't disclose them after I mark them spam, which is a bit of a bummer. But it follows closely the pattern of the previous AI report we got that I disclosed: hackerone.com/reports/2871792
(link preview: "curl disclosed on HackerOne: Buffer Overflow Vulnerability in...")
Summary:
The vulnerability in the program arises from a classic buffer overflow, triggered by the unsafe use of the strcpy() function without bounds checking. The program copies data from a...

NeoFox
in reply to daniel:// stenberg://
@kyle_pegasus Gotcha, no worries Daniel, this is educational enough, thanks!
Also, thanks for all of the work you've done on curl! I genuinely had no idea it was maintained by such a small team before; really reminds me of that XKCD where 90% of the internet relies on some open source project that someone has been thanklessly maintaining, haha.
Hope you enjoy the rest of your day!

dbread
in reply to daniel:// stenberg://
This is my favourite response where I feel you:
"You then waste our time"
#ai
@bagder

Tim Clevenger
in reply to daniel:// stenberg://
"This experience has unfortunately made me reconsider my support for curl"
well_bye.gif

Alun Jones
in reply to daniel:// stenberg://
"I want to report that my instance of ChatGPT has imagined a vulnerability in your software." "That's great, my instance of ChatGPT has imagined you got paid. Bye now."