Andrew Tridgell, developer of rsync, has published a blog post addressing the massive surge in “AI” code submissions and the string of regressions supposedly caused by them. He explains rsync was flooded with “AI”-generated security reports, and he couldn’t handle the volumes anymore.
As this flood started to get more intense I realised I needed to raise the defences on rsync a lot — we needed much more thorough test suites, code coverage analysis, CI testing on a lot more platforms, deliberate and thorough scanning for possible security issues (so I find at least some of them before other people!) and the addition of a whole lot of defence-in-depth hardening techniques. This is all a huge amount of work. I’m retired (though my wife may dispute that!) and I’d rather be out sailing than working on rsync security issues, so I have reached for several AI tools to help with what needs to be done. I have absolutely no regrets about doing that, although from the storm of anti-AI rage it’s clear that many people think I should be hung up by my toe nails and flogged for even considering doing this.
↫ Andrew Tridgell
The entire rsync codebase is around 65k lines, and the recent flood of “AI”-generated submissions amounts to +16k/-6k lines of code within a few weeks. That’s an absolutely insane amount of changes in a really short time to a project that most people deemed stable and “done”. If you take a look at the activity graph, it’s clear that a project that was silently and carefully doing its job is seeing a massive amount of changes, almost exclusively generated by “AI”, all in recent weeks. It’s no surprise, then, that people get annoyed when something they deemed “done” and stable is suddenly causing issues for them because its maintainer decided to open the slopgates.
Tridgell is, of course, an incredibly accomplished and capable programmer, but so is Kent Overstreet and he thinks his “AI” girlfriend is sentient and conscious, he reprogrammed it[1] after someone convinced his “AI” girlfriend was lesbian and trans, and he thinks that he gave his “AI” girlfriend an orgasm[2], so being an accomplished and capable programmer doesn’t mean you’re immune from “AI”-hyperbole, or worse, “AI”-induced psychosis.
Tridgell’s blog post already has all the usual talking points from “AI” techbros about how the tools sucked last [year][month][week] but they’re good now, trust me I know how these tools work, humans are actually the same as these “AI” tools, really what is intelligence anyway, and yeah we got a whole slew of new issues caused by the “AI” code but more “AI” code will surely fix that, and so on. There’s some red flags that give me the ick, because I’ve seen them all before from people entirely losing themselves in “AI” hype.
Tridgell also takes pot shots at openrsync, a reimplementation of rsync developed by the OpenBSD team, also shipped by default on macOS. Openrsync has nothing to do with any of the current issues rsync is facing, as the project was started way back in 2018 or so. Taking pot shots at this project in this particular blog post feels childish and unnecessary, and reeks of insecurity; focus on the issues your own project is facing before attacking some other project. This feels like another red flag.
Quite a few people have experienced regressions with rsync in recent weeks, but it seems like more are going to come as the slopgates will remain open, and will probably be opened even further. For such a cornerstone open source project, that raises a lot of questions, and I’m sure there’s quite a few people pondering if they should, perhaps, switch to openrsync – just like Apple did.
- [1] In case you don’t realise just how creepy and weird this really is – imagine if you had thoughts, ideas, or convictions your partner didn’t like, and their first response was “I’m going to delete your memories and reprogram you”. If you think something is sentient and conscious, and your first reaction to them saying or doing something you don’t like is to delete their memories and reprogram them, you’re a controlling creep.
- [2] Many of the blog posts “written” by Overstreet’s “AI” girlfriend tend to disappear. Funny, that.

If only there were multiple episodes of Star Trek that addressed this exact thing…
The main determiner of good use of AI assisted coding is code reviews.
Be ready to push back, and refuse code even if it achieves stated goals, even if you really need that functionality.
Unless it is a throwaway script, you should be able to read and understand every line of code. Otherwise you would not know what edge cases are missing, what is catastrophically incorrect, and how many ways it exposes your privacy and security to the outside world.
“I’m sorry, I put the AWS hidden auth token there. It was convenient for the UI to just pick it up”
I’m reminded of “I don’t want your PRs anymore”.
— https://dpc.pw/posts/i-dont-want-your-prs-anymore/
I understand where he’s coming from but also he sounds insufferable.
Thom, I’m not a fan of this barrage of AI coverage, not because of the opinions you express, but because AI has become an infatuation. It’s kind of like Captain Ahab and Moby Dick. We keep covering the exact same topic over and over again. You’re entitled to cover whatever you want, obviously, but it seems like all you want to talk about these days is AI. I really enjoy when you cover all kinds of oddball topics and you are great at that. I’ve gotta say I’ve learned so much here from you that I truly wouldn’t have gotten anywhere else; and I genuinely thank you for that. AI needs to be covered, but just keep in mind there’s more to life than whales.
There seems to be a few issues at play with this one. Most of the new rsync code does seem to be the test suite, and the bug that kicked off this whole thing does seem to now be fixed. People are however scrutinising rsync a bit more, which has led to the uncovering of several more actual bugs that were present before the AI-helped release. You then also have a second group of people that are arguing in the GitHub issues; rsync HAS that GitHub discussions section for the purpose of discussions, so I do feel a bunch of this should have been done there and not in the issue tracker.