Funny thing is that it's literally the opposite, it's the worst at stretching the imagination.

Just saw a claude commercial, and their pitch was "hey, you can use us to make a knock-off dropbox"

Their big stunt a while back was "we made a knock-off C compiler"

Everything is about making knock offs because that's what GenAI can do. It can certainly tailor the knock off in ways that were easier than what it formerly took, but roughly knock-off in their bread and butter

A generic site builder... Yeah that's pretty firmly in the reach of GenAI...

I largely agree with the sentiment that they are disconnected from the harsher reality, though I suspect it's largely knowingly, but even if 'true believers', it's a mismatch between their estimation of what it can do and what it can actually do. Nothing particularly new to 'tech bro' mindset that has been overestimating tech pretty much forever, however awesome the tech may be the tech bro thinks it's even better.

I would reserve "AI Psychosis" to people whose behavior resembles something like schizophrenia. The bcachefs guy, Kent Overstreet sincerely thinking his chatbot interactions represent dealing with a teenage girl. Richard Dawkins similarly believes Claude is sapient and is actually a woman so he renames it 'Claudia'. Then there's that case of the murder-suicide after LLM interaction amplified some schizoprhenic symptoms.

Problem is that ship sailed *years* ago, claim a bug is a 'vulnerability' and you'll probably get a CVE regardless of merit.

Given that the whole topic is *security* bugs then counting CVEs seems extremely apt, and is still grading on easy, as CVEs are actually a pretty low bar. E.g. a 'medium' CVE for ncurses exists (CVE-2023-50495). The tic compiler can segfault with malicious input. Fine, a bug, but... what is the security angle? It has a CVE despite not being a vulnerability. Then you have scenarios where someone finds a component with a bug and describes 6 different ways of making the bug misbehave and get 6 distinct CVEs for what is a common code fix. Example that comes to mind is that VIM had a bunch around it's script interpreter where malicious scripts can run arbitrary code (which is not pitched as a sandboxed environment and explicitly allows arbitrary commands already).

Also getting security researchers to agree something is a security problem is similarly easy. I have an 'advisory' here that tried and failed to get a CVE but a security company granted it a special advisory. Digging in the issue is, under certain circmstance, a person trying to make it misbehave actually *fails* to get permission to something they should have had permission to... Denying service *only* to the attacker... The deeper analysis shows this is the *only* way it could misbehave, it could only fail to acquire privilege under deliberate abuse. There's zero appetite in the industry for pushing back against pretty dumb "security" findings, so they err on the side of accepting everything could maybe be a security issue if someone says it could be.

The issue is an AI twist on a long standing problem particularly in the security industry: people standing on counts of CVEs and handing them out like candy resulting in 'vulnerability slop'. There are real issues out there, but you say 'advisory' or 'cve' and I'm not inclined to think one way or another until I look deeper, and I can't afford to look deeper into the sea of CVEs I already have to wade through.

This is true, but in part because a lot of 'security' reports are pretty bogus, even if they get CVEs and 'security researchers' call it a vulnerability, others may be inclined to roll their eyes. For example, the curl project had a write up:
https://daniel.haxx.se/blog/20...

So LLM findings I anticipate to be similar, but just a firehose of stuff to dig through to separate the real findings from the innocuous ones.

We likely will never have a grip on that, as it's generally easiest to patch the report and not think about whether it *really* was a security risk. The patch may confirm incorrect behavior being acknowledged, but not whether it was realistically a 'security' risk or not.

Yeah, I hate this in general about EV coverage. Everything fixates on 'time to charge to full' instead of 'miles replenished per time'.

To be useful, miles per minute of charge is a better figure.

The kernel isn't really worth keeping closed source.

They have to weigh the logistical burden of sharing source code they don't really care much about versus the very large and real technical burden of changing their technology stack.

I know, he didn't seem that human, but I'm pretty sure he is.

On the one hand, love seeing Musk lose, on the other hand, I hate seeing Altman win..

The problem is that you have hundreds of folks now running the exact same checks with the exact same tools and all submitting without a care for what any of the others are doing.

Dupes are nothing new, but the scale of dupes becomes gigantic because now everyone thinks "I can be a kernel security researcher now" and all have the same tools at their disposal that tend to find the same things.

As to the 'genuine bugs', don't know about this current crop, but historically "security researchers" have already been bad for "crying wolf" and reporting non-issues that they didn't understand. The highest profile I can think of was when some "security researcher" started telling everyone in the world that nintendo stores passwords in clear text because he thought the 'OK' button only activated when the password entered matched successfully, but it just lit up as soon as *any* password that passed the rules was entered. AI code review is still pretty inclined to report non-issues in a similar way, so I imagine not just dupes, but lots of nothing coming along too. Those would be *harder* to have a system automatically handle, since a human actually has to understand the report and reconciling with reality. An LLM isn't going to be very good at dismissing bogus LLM complaints.

Well, it would be nice if the submitter was on the hook for the token budget to find dupes, but practically speaking the project probably runs it.

I would probably not have an LLM automatically merging duplicate tickets. The flow should be 'pass on to human review as no apparent duplicate was detected' or 'pass back to submitter with indication of probable dupe, to let the submitter decide if they have something to add to the original ticket and/or to subscribe to that ticket. I have seen enough problems when *humans* unilaterally merge tickets that end up being unrelated, and that clutters up and confuses an issue. Don't need LLM that may be pretty good, still would be even worse than the humans at messing up 'dupe or not'.

It's a matter of what the LLM operator is pointing it at.

The LLM operator submitting the bugs aren't paying attention nor feeding their instance of LLM anything about others' submissions. So they are flooding with dupes, and the LLM has no reason to detect duplicate submissions, since it's not fed that data.

An LLM fed the mailing list and new submissions could credibly find dupes. If it fails, oh well, a dupe made it through and was annoying. If it erroneously detects a dupe, oh well, the submitter has to re-assert that it is not a dupe and is somewhat annoyed.

LLM ability to identify roughly duplicate bugs is decent enough. I don't like the hand waving of "AI can write the code, AI can review the code, AI can test the code" to absolute confidence (finding ways to expend more tokens does improve it's success a bit, especially if you can give it a 100% perfect pass/fail test to run and and let it retry), but here it's a pretty straightforward application, just a better fuzzy match at finding duplicate reports.

Yes, though I don't know about nvmeof. I feel like san style block is overall less popular than other sorts of software approaches to distributed storage nowadays.

Storage people keep pushing the way it was done with fiber channel attached controllers abstracting things to generic block devices. Shared sas, fcoe, iscsi/iser... Have seen so many tries at bringing the concept and being ignored in favor of things like clustered filesystems and object store.

Just like hardware raid controllers are nearly non existent in nvme world, and folks are managing multiple disk redundancy in the os, people are looking for more transparent storage solutions and I just don't think nvmeof plays a role instead of direct attached storage to open ended operating systems..

Dual socket epyc can have 160 lanes.

Coincidentally, 40 nvme drives at x4 would use 160 lanes.

However, that would be useless, since you need connectivity beyond the box and misc needs for pcie. So either x2 per drive or pcie switches.