Thread - Nostr Hypermedia

Hardly anyone talks about how AI is actually pretty positive for the open source software scene, especially when it comes to verifying the source code. With OSS, it's always like, everything's out in the open, you can check it yourself, but barely anybody does that in real life. First, you gotta understand code in as many programming languages as possible, and then you have to slog through the whole thing to find the relevant parts you wanna inspect. Who really does that? Who has the know-how, the time, and the patience for it? So the verification just doesn't happen, with people thinking, "oh, there are probably some nerds out there who've already checked it". That might hold up for a bunch of popular OSS projects, but what about the smaller, lesser-known ones? With AI, that has become super easy now, even for folks who aren't software developers. No matter what language the code is in, you can just unleash your agent on the repo and have it scan everything. You can even run a full security audit on the software. Well, at least on a surface level, since it still takes a bit of experience to ask the right questions. We always say "verify, don't trust". That's gotten a whole lot simpler now.

Replies (2)

ishaq 1 month ago

It's a good assistant to help one get familiar with a project. It may also flag well known problems/patterns. But for anything more sophisticated, AI will at least struggle if not outright fail. Auditing a codebase that's hundreds of thousands of lines of code requires a lot of context and reasoning. AI can keep context, albeit at an increased cost but reasoning is beyond current AI's capabilities.

nomadshiba⚡ nomadshiba@npub.name 1 month ago

tho code can tell ai to say something else. also even if its open-source exploits might still exists. so sandboxing and containerizing is the safest option when it comes to security of the software. but again sandbox itself might have exploits that let's you escape it. but still the safest.