This is like a human cell goofing up its p53 genes and deciding that being cancer is good actually.
FWIW, Rsync dev has written this blog post from his point of view: https://medium.com/@tridge60/rsync-and-outrage-d9849599e5a0
Wew, that is a rich text…
…The 3.5 release will raise the bar enormously with regards to rsync security, but it is a huge change…
o no
Barely skimmed it, but it says stuff like
for the people saying things like “I’m a PhD from xyz uni and I’m telling your LLMs are just stochastic tools that make everything up and the world will fall apart if you use them”, I’m here to tell you that you are out of date. The world of software engineering has changed dramatically in the last few months.
which is sold-in-dumpster-alley quality copium, and also that version 3.5 is going to “raise the bar enormously with regards to rsync security”, so I guess we’re looking at a notably vibe coded security model for rsync going forward?
it’s amazing how once the LLM cooks these guys they all start spewing the same crap
version 3.5 is going to “raise the bar enormously with regards to rsync security”
did rsync previously have a particularly flawed security model? it sounds like it had a couple of CVEs that this asshole decided to slop out fixes for, alongside breaking a bunch of parts of rsync. maybe somebody showed him mythos (which is fucking terrible at finding vulnerabilities when it’s not backed by a bunch of invisible labor doing the actual work or just finding bugs that originated by letting Claude or some other LLM loose on the codebase) and that pushed him over the edge?
That was a nice detailed explanation. The description of the way the tests degenerated was really worrying. Even some boosters insist the tests need careful human oversight.
Has anyone run the set against the recently added coverage support? Do we know if there were test cases for the CVE behaviour before the faulty patches were added?
This is a person who requested contributors who is suffering under an onslaught of AI generated bug reports and people who know this project is in maintenance mode adding to that by making requests for QOL updates but who won’t actually contribute to the project in any way.
Using AI because you’re overwhelmed sucks but I don’t have the ability to step up and help. If you do, then by all means.
Yes, people and companies should step up.
No, the answer isn’t replacing the test suite with nonfunctional slop and running it as root.
It’s all so amateurish and bizarre that my first thought was that someone stole the maintainer’s account. I guess nobody’s immune to the siren call of the slot machine.
It’s unjustifiable bullshit.
It feels like someone being overwhelmed/exhausted to the point of saying “fuck it, I don’t care anymore” and afterwards rationalising the use of LLMs as the only way they can keep up, while simultaneously falling for its addiction. It does demonstrate why relying on one-man projects without chipping in is risky. Unfortunately the companies that rely on it are probably also captured by the bubble so they won’t think so.
overwhelmed/exhausted
In the blog he posted afterwards he says he has 40 years of experience, so he is also grandpa old.






