Now that AI has become the main tool used by developers to write code, even in open source environments, it will be how feds will slip in backdoors to applications because nobody is going to review the logic of 20000 lines written by AI in a single commit.

Unless projects completely ban use of AI and only allow small commits, this is going to be inevitable. I’ve been seeing so many applications merging AI slop into their code on GitHub already.

  • queermunist she/her@lemmy.ml
    7 days ago

    This seems doomerish. Can’t they use AI to review the logic of commits?

    Prompting OpenClaw with “find all back doors — make no mistakes” is kind of funny, but seems viable.

    • Infamousblt [any]@hexbear.net
      7 days ago

      Sure, but the models can be told to ignore certain backdoors. The models also lie all the time for any reason or no reason at all. Since AI coding is not really a trust- and predictability-based system, there’s no way you can know for sure at any given moment that you don’t have backdoors without a human examining the code line by line, or by building your own AI that you can trust.

      • unmagical@lemmy.ml
        7 days ago

        The models also lie all the time

        A coworker of mine was tasked with having an AI agent generate a security report of our latest effort. It returned about 10 things; only 2 were semi-valid. The silliest one was a claim that our regex function for stripping out non-word characters was not adequate because “\w allows . characters”, thereby enabling path traversal attacks. FYI, \w very explicitly does NOT allow . characters.
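
A finding like the one in the comment above can be triaged by test instead of by argument. The following is an added example, not code from the thread or from the commenter's code base: Python, the function `strip_non_word`, and the sample inputs are all assumptions made for illustration.

```python
import re
import string

# Hypothetical stand-in for the function under review: drop every non-word
# character. re.ASCII pins \w to exactly [A-Za-z0-9_].
NON_WORD = re.compile(r"\W", re.ASCII)


def strip_non_word(value: str) -> str:
    return NON_WORD.sub("", value)


def ascii_word_chars() -> set:
    """Every printable ASCII character that \\w accepts under re.ASCII."""
    return {c for c in string.printable if re.fullmatch(r"\w", c, re.ASCII)}


def strip_non_word_unicode(value: str) -> str:
    """Same strip with Python's default Unicode-aware \\w, for comparison."""
    return re.sub(r"\W", "", value)


# Constructed inputs of the kind a path-traversal finding would depend on.
SAMPLES = [
    "../../etc/passwd",
    "..\\..\\windows\\win.ini",
    "%2e%2e%2fsecret",
    "report.pdf",
]


def triage() -> dict:
    """Map each constructed sample to what is left after the strip."""
    return {s: strip_non_word(s) for s in SAMPLES}


if __name__ == "__main__":
    print("'.' accepted by \\w:", "." in ascii_word_chars())
    for raw, clean in triage().items():
        print(f"{raw!r:32} -> {clean!r}")
    # Unicode mode keeps non-ASCII letters, but still never '.', '/' or '\\'.
    print(strip_non_word_unicode("café.txt"), strip_non_word("café.txt"))
```

The one real difference between regex modes is that the default Unicode `\w` in Python keeps non-ASCII letters and digits; neither mode passes the dot or a path separator.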