lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <68879de1aaf4_e74a1008c@dwillia2-mobl4.notmuch>
Date: Mon, 28 Jul 2025 08:57:21 -0700
From: <dan.j.williams@...el.com>
To: Kees Cook <kees@...nel.org>, Steven Rostedt <rostedt@...dmis.org>
CC: Jakub Kicinski <kuba@...nel.org>, Sasha Levin <sashal@...nel.org>,
	<workflows@...r.kernel.org>, <linux-doc@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, <konstantin@...uxfoundation.org>,
	<corbet@....net>, <josh@...htriplett.org>
Subject: Re: [RFC 0/2] Add AI coding assistant configuration to Linux kernel

Kees Cook wrote:
> On Fri, Jul 25, 2025 at 03:00:46PM -0400, Steven Rostedt wrote:
> > Also, I would argue that it would be useful in the change log as if there's
> > a bug in the generated code, you know who or *what* to blame. Especially if
> > there is a pattern to be found.
> 
> Yeah, this is where I feel like it's the most potentially useful. Since
> they are distinctly code-generators, we should include the info to
> identify it. We include version numbers and such the compilers and
> linkers, though they are only informally included in commit logs when
> dealing with specific problems.
> 
> Having had to do "find all commits from [set of authors]" research for
> security audits, I would be very unhappy if I had to do this again in
> the future for a specific Agent (used any author), and had to loop lore
> into the process. Yes, it's *doable*, but it'd be very annoying.

Oh, yes, that gives me pause. However, so too does the idea that AI
contributions, beyond mere mechanical code complete of trusted human
developers, would become more prevalent. *If* it gets to that point, I
agree that this forensic ability is necessary. Now, if it gets to that
point it also assumes that the "AI contribution review decimating human
reviewer bandwidth" problem has a mitigation.

So "doable, but very annoying" strikes me as a problem space where an AI
agent could help. It is not clear to me that a concise commit trailer
captures everything needed to help both the review and after the fact
forensics problem, especially when model fine tuning and prompting are
in play.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ