I looked at the rsync commit log and basically every commit since March says “tridge and claude committed.” Andrew Tridgell, the guy who literally invented rsync in 1996. Now he’s using a chatbot to write the code and proudly displaying its name right there in the commit.
And before anyone goes “calm down it’s just a typo fix” no. The recent stuff is the security fixes for 3.4.3. The symlink race CVEs… You know, the exact part where you want an actual human who understands what he’s doing, not a machine that spits out code that looks correct but has correctness errors.
Do you get how insane this is? Rsync is the thing holding up basically every backup system on earth. Your NAS uses it. Distro mirrors use it. The server with your grandma’s photos uses it. And now the plan is to let a token predictor that can’t even count the amount of letter R’s in “strawberry” write code for it.
“But the tests pass.” The tests pass because the AI probably wrote the tests too, you walnut. It’s a loop of confident nonsense that’s grading its own homework, and the first time it hits an edge case nobody fed it it’s gonna silently corrupt something and no one notices till the backups are already poisoned.
I’m pinning v3.4.1 and not updating again. If you defend this, don’t say nobody warned you when the data loss posts start appearing.

I wonder if I still have any of those Linux CDs I burned years ago
Well… That’s one way to ask the community to take over maintenance.
They’re not asking.
Did they really need AI to set a number to 45?!? Also you can do this centrally in the repo settings and don’t need to do it on every single workflow!
Conclusion: Garbage code
This is what AI does…it “removes the friction” of doing large scale find and replace operations consistently so your whole repository becomes terrible, repetitive patterns because it made it much easier to do the wrong thing.
My question is if that number is set/used separately in all those places why isn’t it defined somewhere more centrally. It’s silly that you need to update so many files for such a simple change.
I once worked with a dude that basically maintained what would’ve been a database in a reasonable code base through a series of data structures hard-coded into the Java code. When there were changes, he would roll through the dozens of files and add additional records into the code. AI has probably made his “job” a snap…if he still has one.
OpenBSD forked it a while ago as “openrsync”. It’s already the default on macOS.
Nice!
https://github.com/kristapsdz/openrsync
This is an implementation of rsync with a BSD (ISC) license. It’s compatible with a modern rsync (3.1.3 is used for testing, but any supporting protocol 27 will do), but accepts only a subset of rsync’s command-line arguments.
But also:
The actual work of porting is matching the security features provided by OpenBSD’s pledge(2) and unveil(2). These are critical elements to the functionality of the system. Without them, your system accepts arbitrary data from the public network.
rsync has specific running modes for the super-user. It also pumps arbitrary data from the network onto your file-system. openrsync is about 10 000 lines of C code: do you trust me not to make mistakes?
Since a senior engineer is clearly in the loop here I wouldn’t pass judgement on these commits without looking at their actual content. LLMs can be used responsibly, too.
There are reported bugs https://mastodon.gamedev.place/@JeremiahFieldhaven/116654345332213390
The thing is, LLM can theoretically be used responsibly, just like heroin can be used in a way that doesn’t cause crippling addiction. But nobody does that, and that’s kind of the problem.
There was also a little debacle a while ago that VS Code was misattributing everything committed in git by users with its default CoPilot extension as being co-written by CoPilot.
Something like that could also be happening here.
Yeah the role of the maintainer is to gatekeep the quality of the finished product. As long as they do that it’s fine. The contributor could be a clanker or a junior trying to get their first PR, I don’t care cause the person I trust is the maintainer.
Rsync’s creator has been maintaining load bearing infra since before I learned to code, if you can’t trust them who can you trust?
Fuck all clankers.
There is a massive difference between a vibe coder accepting whatever the LLM writes without understanding any of it and an engineer who understands the codebase and reviews what the LLM produces. Whether the maintainer reviews the output of LLMs rigorously like any random pull request or not, is not verifiable, thus it’s not worth discussing.
Edit: For clarification, the part I meant by “not worth discussing” is whether the maintainer reviewed the output of the LLM, not the overall discussion of using LLMs for code.
Whether the maintainer reviews the output of LLMs rigorously like any random pull request or not, is not verifiable, thus it’s not worth discussing.
No. It’s worth discussing, it is destroying confidence in the product.
Edit: wheezy@lemmy.ml was more eloquent.
Whether the maintainer reviews the output of LLMs rigorously like any random pull request or not, is not verifiable, thus it should be assumed they did not.
FTFY.
But then what makes you assume they reviewed the output of human contributors for the last 30 years? What makes you assume anybody does?
Literal human interactions that are well documented through a peer review process that has been standard for decades in the industry?
Like, this process doesn’t have to be perfect. But the bar is really low when we’re discussing “trust me bro” and seeing AI commits going in.
I don’t understand. There’s a ton of PRs on rsync where some rando contributed some code, tridge thanked them and the PR got merged. No comments, no conversation, just code => thanks => merged. How do you know any kind of peer review has happened before the merge ? What makes you trust that this specific rando on the internet didn’t introduce any kind of regression or security issue ?
You likely have had rsync on your machines for years or even decades, and you didn’t even know a guy called tridge existed and you depended on them. You trusted them with your vital infrastructure. Did you audit the guy or personally review his various contributions ? Did you re-audit now and find some quality drop other than some screenshot on mastodon ?
Changing opinions so radically on such flimsy evidence doesn’t sound too rational to me. In fact it reeks of distinctly “right-wing thinking”, a moral panic that tries to remain fact-free and exist in its own bubble universe with no willingness to connect to reality, because the outrage is too delicious to let facts ruin it. It sounds like a test of spiritual purity, not a discussion on engineering practices.
I swear there’s no individual thought going on in these idiots’ heads. AI BAD OOGA BOOBGA. CHAT JIPPITY CODE BAD
Projecting.
Saw a post somewhere else on it but my instance can’t load it now for some reason.
Anyways, here’s the Discord dump for those who don’t want to join (Tor not allowed, sorry I don’t have a better file host, AI brought down 0x0.st). No further commentary.
I’m sympathetic to this.
To summarize what’s going on: This is a tool used everywhere in the world, and yet the developer is one single guy who is unpaid for its maintenance. He’s saying no one else volunteers. I wouldn’t be surprised if that’s not literally true but it’s probably true after reasonable vetting, he can’t just accept any guy named Jia Tan who asks to contribute.
Something AI actually has been demonstrably useful for is finding security holes in software. With the advent of AI, tons of FOSS software is flooded with vulnerability reports, they won’t all be accurate but some will and need to be addressed, especially for critical software like rsync that basically everyone uses. I know the kernel maintainers have been completely overwhelmed by the number of fixes needed, and obviously they’re a bigger project but they are also compensated for their work. This is a ton of extra work to add onto one single guy whose paying job is not working on rsync.
I don’t think it’s reasonable to be upset with this guy. We should be more upset about the countless number of organizations that can easily afford to pay a couple developers to put time into a tool they use on a regular basis, but instead choose to say that funding development is someone else’s problem.
Just as a personal opinion, I think a developer with decades of experience on a critical tool probably deserves the benefit of the doubt with intuiting the pitfalls and what to be careful of with AI use in coding. I think the lack of time is more problematic for code quality than AI use in this specific instance. I’m more opposed because I think someone who is still gaining experience being allowed to rely on it will be disastrous, and any allowed usage normalizes it. (Although I’m also opposed because of a disdain for generative AI as a whole.)
he doesn’t owe the world anything, and it does his reputation worse service to output garbage than to move slowly
While you criticize someone for just accepting things, you didn’t check if that is actually the case?
Use the last non vibe coded version
If it’s bad code then you can audit it and claim those bug bounties. It’s a well known project with a lot of eyes on it I think the quality will remain high.
It’s already causing breaking changes:
lot of eyes on it I think the quality will remain high
This was bullshit when Raymond argued it in the 90s and it’s even more bullshit now.
it is bullshit because there are no “lot of eyes” on the project. not because the statement is wrong!