@ndevenish @David Gerard @Kevin Beaumont

Dumb security issues do not happen when poor code is injected into projects. Dumb security issues happen when pull requests are accepted without vetting. Keep in mind that humans have deliberately and accidentally introduced security issues into code bases far before AI.

You might rationalize that anyone can fork a repo and then push to it all they want, and it will have its own git repo online. GitHub and GitLab tell you were the repo is forked from. When I fork a repo for personal use I only fork the original project (if it has not died and been passed on to another maintainers repo). It is not a good idea to use anyone else's repo that is not in sync with the official repo. That is akin to using software from just any download site on MS/Windows, it is asking for issues.

This is just my take on the situation. There are always going to be security issues. Our best line of defense is being aware of what we are doing. Using good OPSEC and DEVOP. There are many features that are available on modern repo servers. Such as commits being signed to verify the person that committed them (Supported on both GitHub and GitLab). If you see that a project is not using such features, consider doubling down on your due diligence.

@Cassandrich

I agree with your concept as being a noble idea. I just do not see it as a realistic solution. These are my issues with your idea, and you may not agree with me that if fine. Your idea is that we make tools to scrape repos on git servers (and perhaps SVN as it is still used) and validate that it is accepting pull requests from AI. If I have understood you. My take on that is that if you are working on a project then you should be forking the main repository not some other person's random fork. Main repositories tend to be a lot more responsible in who they accept pull requests from. In any of these Claude infested repos was even a single one the projects actual main repository? I would guess no. If developers are practicing good OPSEC then this is a none issue. So we are adding strain on servers that is simply not required.

As developers we have a responsibility to our own integrity and are users to be sure that what we do release is as secure as we can make it. There is no such thing as completely secure software. It does not exist in reality (well maybe 'Hello world' 😉).

It is easy to get upset at such events. Though in the big picture is not a real issue, it is one of those issues that will be self-healing. I do not know a single developer that would not check who commits, are they using security measures like commit signing, is the project secure as is. Before forking, if they wanted to use it as a base and it did not meet those criteria they would hard fork and not participate in the original repo. Keep in mind that there are projects out there entirely written by AI, I do not endorse them, but they do exist.

It is okay to not agree with me, I am okay with that. I do not feel as if we should be censoring source code for developers. I feel like we should be teaching them about good OPSEC & DEVOPs instead. Just my opinion.

Have a great day!